> I need to sniff a link that uses mpls headers. Does
> any one have some advice for doing this successfully?
>From http://www.snort.org/users/roesch/Site/Snort%203.0.html
"...most specifically the new protocol decoders that have been added
for Snort 3.0 including IPv6, MPLS, GRE and 802.1q as well as the new
TCP and IP option decoders."
I'd say Snort 3.0 is your best bet. Otherwise you're in uncharted
waters, I think. If you had to use 2.6.x right now, you might be able
to use something like mpls-linux and bridging and then have Snort
attach to the Ethernet bridge interface. I have no idea if that would
actually work, though.
PaulM